IT Explained



SD-WAN stands for software-defined wide area networking or, within context, network. While an SD-WAN may operate as a standalone WAN, in the real world it operates as a framework for the deployment and management of different types of WAN architectures and network technologies. The main purpose of SD-WAN is to make network management easier and more efficient, and to improve users’ online experience.  

What is a WAN?


A WAN is the central hub for data aggregation from multiple sources like multiple local area networks (LANs). A LAN is a collection of connected devices in a single physical location such as an office, a hospital, a factory, or a home. A single location may also operate multiple LANs. When a network spans multiple LANs, the network becomes a WAN. A WAN link is the circuit that joins two or more LANs. In a traditional WAN, routers connect multiple LANs, enabling them to communicate with each other and with the central hub, usually a company’s head office or a data center. A traditional WAN is router centric.

Traditional WANs use public and leased lines usually with private multiprotocol label switching (MPLS) as the primary connectivity technology, and public internet protocol (IP) as a secondary connectivity method, depending on the requirements of the business. While reliable and secure, MPLS is expensive and complex to manage. While widely available and cheap, IP may be unsecure for enterprises and prone to latency issues on congested internet networks. LANs and medium-sized WANs are usually owned and operated by an organization. Large WANs are often owned and operated by a service provider; companies may use a provider’s network services at premium rates.

Traditional WANs were not originally designed to communicate with modern cloud services and a myriad of new types of connected devices in the internet of things (IoT), like personal wearables, and the industrial internet of things (IIoT), like remote sensors. Traditional WANs are unable to efficiently support today’s demands for the increasing amounts of bandwidth that cloud services and smart worlds require.

One of the main downsides to traditional WANs is that they require that traffic is backhauled from endpoints at the edge of a network to a central hub, resulting in delayed response times and poor network performance.

Because configuration in traditional WAN architecture is distributed (housed locally on individual physical routers), changes and new deployments are time consuming, and must usually be done manually on a per-device basis by on-site IT engineers.

What is SD-WAN?


SD-WAN was developed to address some of the limitations of traditional WANs and to increase network visibility to give IT administrators more control over endpoints, lower circuit costs, enable connections between geographically remote sites, reduce hardware dependencies, and eliminate lock-in to service provider solutions. 

The main thing that makes SD-WAN different from other WANs, and is the basis for all software-defined networking (SDN) technologies, is a virtualized network overlay that sits on top of the physical network. The virtual overlay allows administrators to remotely configure, monitor, optimize, and secure the entire network via a centralized software controller, usually located at a company’s head office. An SD-WAN controller, as its name suggests, effects control of all network components. Usually, the SD-WAN controller is supported by an SD-WAN orchestration layer, which effects granular management of the network, focused particularly on the provision of application services for external customers.   

The SD-WAN overlay simplifies and automates the deployment of policies across geographically distributed devices and applications. SD-WAN policies specify the behavior of endpoints, security requirements, and traffic priorities.

The SD-WAN overlay separates the control and data planes, enabling transport agnosticism, which allows intelligent traffic prioritization, application-centric routing, and easy access to in-demand cloud services. The SD-WAN overlay allows the use of any combination of new or existing connectivity methods, like MPLS, VPN, IP, 4G LTE, physical cables, and circuits from third-party carriers. Importantly, the SD-WAN overlay facilitates the selection of the best connection type for an application. 


A checklist of distinguishing SD-WAN features includes the following characteristics:

  • Virtualized overlay
  • Centralized software control
  • Separation of control and data layers
  • Simplified quality of service (QoS)
  • Low circuit costs
  • Business-driven application policies
  • Application-centric traffic routing
  • Intelligent, dynamic traffic path selection
  • Edge-to-edge network visibility
  • Integrated monitoring tools
  • Automated configuration and deployment capabilities
  • End-to-end data encryption over virtual private networks (VPNs)
  • Transport and connectivity agnosticism
  • High-performance access to cloud services
  • Location transparency for connections to geographically dispersed endpoints
  • Task automation using application programming interfaces (APIs)



Before the uptake of SD-WAN during the early 2000s, company WANs operated over leased lines from independent service providers to communicate between head offices, centralized data centers, and remote sites, generically referred to as branches. The term branches encompassed satellite offices, warehouses, suppliers, retail stores, customers, and employees working from home or travelling on business. The idea of SD-WAN arose, in part, as a way for businesses to break with proprietary lock-ins to WAN solutions.    

Another reason for the development of SD-WAN was a result of the new business opportunities offered by the IoT and IIoT. With the increasing adoption of digital and AI (artificial intelligence) transformation, networks needed to connect not only with traditional WAN branches, but with a growing number of new types of connected devices. To describe network endpoints, the more relevant terms appliances and edge devices replaced the term branches. SD-WAN endpoints include connections to environmental sensors, personal wearables, and smart devices in industry, healthcare, finance, mission-critical systems, commercial IoT, consumer IoT, workplaces, and smart buildings and cities.

The use of edge computing in SD-WAN mitigates the bottlenecks that are created when large volumes of data in traditional WANs are backhauled between endpoints and data centers for processing. Software-enabled endpoints in edge computing are designed to process data at its source, manage device and data security, and make decisions about what data is routed, how, and to where. Edge computing allows endpoints to be remotely managed by the centralized SD-WAN controller when necessary.

Traditional WAN networks relied primarily on fixed connections, which were unable to cope with user demands for experience networking, a persistent, cheap connection to myriad media-rich applications that used IP technologies and cloud services. Application-centric, transport-agnostic SD-WAN addresses this issue. To improve the user experience, SD-WAN implements intelligent traffic routing, dynamic path selection for data, multiple connectivity options, and virtual network functions (VNFs) that reduce hardware dependence and allow independent endpoint processing. 

SD-WAN provides a better network experience for users, reduces IT costs for SD-WAN subscribers, offers new business opportunities for SD-WAN providers, automates edge administration functions, and enables enterprises to securely access cloud services and expand their service offerings. 

Where are SD-WANs used?


SD-WANs are ideal for organizations that connect with multiple endpoints that are distributed over a large geographical area, process large volumes of unstructured data, and use cloud services consistently. For a small, localized business, an SD-WAN may be unnecessary and costly to maintain.

Examples of applications where SD-WANs may be used include businesses with multiple remote retail stores, metro Ethernet services that provide multipoint connectivity over a metropolitan area network (MAN), remote access for employees working off-site, and IIoT deployments where big data traffic flows between large numbers of sensors and cloud data lakes, for example in smart environment applications.

SD-WAN features


Service-oriented architecture

The main components in SD-WAN are distributed across three layers, the application layer, the transport layer, and the infrastructure layer.

  • Application layer – The SD-WAN service orchestrator is located above the SD-WAN controller and is responsible for SD-WAN lifecycle services.
  • Transport layer – The SD-WAN controller manages the SD-WAN edge and SD-WAN gateways, which are connected by virtual, encrypted tunnels.
  • Infrastructure layer – SD-WAN gateways manage external connectivity services, like VPN connections. SD-WAN endpoints are implemented as edge appliances.

Centralized software control

Unlike in router-centric WANs, the control and data (also called forwarding) planes are separated in application-centric SD-WANs. This feature is typical of abstracted network architecture.

The terms control plane and data plane are used in network terminology to describe how traffic, typically data packets, travels between devices. The control plane in a network controls how, when, and what data is forwarded, and to where. The functionality of the control plane is software controlled. The data plane in a network is responsible for physically forwarding the data. The functionality of the data plane is traditionally hardware controlled. In SD-WAN, the data plane can be software controlled because of the software-enabled nature of edge appliances and the use of VNFs.

In SDN, it is the separation of control and data planes that allows administrators to remotely manage traffic instead of physically configuring devices and managing them on-site. The separation of control and data planes allows the automation of many administrative tasks like device deployment with zero-touch provisioning (ZTP). Because the control and data planes are separated in SDN, edge endpoints are able to self-manage many functions. 


The SD-WAN virtualized overlay allows the use of multiple connection options. In SD-WAN, the physical hardware and transport layer of the network is transparent to the centralized control application that is the hub of an SD-WAN. Connectivity agnosticism allows organizations to create hybrid SD-WANs that are compatible with their existing infrastructure instead of having to build new networks from scratch.

Intelligent routing and dynamic path selection

One of the primary drivers for the development of SD-WAN was the growing need to be able to prioritize different applications. For example, low latency is vital for interactive meetings and streaming video, and for low-level sensors in smart worlds.

In SD-WAN, intelligent routing and dynamic path selection allow business-critical applications to be routed across the most suitable available connection in accordance with policies. SD-WAN policies allow administrators to roll out, via the SD-WAN central controller, business-determined policies (profiles) to any endpoint, specifying what priority it has in the network.

SD-WAN policies enable elastic traffic management. This capability is usually what the word intelligence in the term SD-WAN intelligence means and is why SD-WANs are called application-centric WANs. Endpoints in an SD-WAN constantly feed back latency and loss metrics, which are used to automatically, or manually, realign policies where necessary.

Typically, policies in an SD-WAN are based on the service level agreement (SLA) that a business and its customers agreed to. SLAs are applicable to physical devices and software applications. In a commercial environment, some of the issues that may be covered by an SLA include how traffic is monitored, how failover and security are managed, what level of uptime is expected, and what is agreed to as timely traffic delivery. Policies in an SD-WAN are also implemented to ensure compliance with various industry and security regulations.

After policies are defined, they are pushed to individual SD-WAN endpoints. The SD-WAN central controller monitors the performance of devices and applications and automatically migrates traffic in accordance with the associated SLAs. When a policy is changed, for example a new QoS or operational policy is implemented, it can be deployed almost immediately. IT administrators may select to manually or automatically deploy individual types of policy changes.
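The following sketch shows how SLA-driven path selection can work on the latency and loss metrics that endpoints feed back. It is an added example, not code from this page or from any SD-WAN product; the policy schema, link names, thresholds, and telemetry values are all constructed assumptions. A link that is still "up" but degraded (a brownout) loses its traffic, and an application is never moved to a transport its policy does not list.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class SlaPolicy:
    """Per-application policy pushed by the controller (hypothetical schema)."""
    app: str
    max_latency_ms: float
    max_loss_pct: float
    preferred: tuple  # permitted transports, most preferred first


@dataclass(frozen=True)
class LinkState:
    """Telemetry an edge appliance feeds back for one transport."""
    name: str
    oper_up: bool       # link state as a routing protocol would see it
    latency_ms: tuple   # recent probe samples, oldest first
    loss_pct: tuple


def meets_sla(link, policy, window=3):
    """True only if the link is up AND its recent averages are within the SLA."""
    if not link.oper_up:
        return False
    lat, loss = link.latency_ms[-window:], link.loss_pct[-window:]
    if not lat or not loss:
        return False  # no telemetry: do not assume the link is healthy
    return (mean(lat) <= policy.max_latency_ms
            and mean(loss) <= policy.max_loss_pct)


def select_path(policy, links, window=3):
    """Return (link_name, reason) for one application.

    reason is "sla" when the chosen link satisfies the policy, "best_effort"
    when no permitted link does and the least-bad live one is used, and
    "no_link" when every permitted link is down. Transports missing from
    policy.preferred are never used, even if they are healthy.
    """
    by_name = {link.name: link for link in links}
    permitted = [by_name[n] for n in policy.preferred if n in by_name]
    for link in permitted:
        if meets_sla(link, policy, window):
            return link.name, "sla"
    live = [l for l in permitted if l.oper_up and l.latency_ms and l.loss_pct]
    if not live:
        return None, "no_link"
    best = min(live, key=lambda l: (mean(l.loss_pct[-window:]),
                                    mean(l.latency_ms[-window:])))
    return best.name, "best_effort"


# Constructed telemetry, not taken from any real deployment.
HEALTHY = (
    LinkState("mpls", True, (22, 21, 23), (0.0, 0.0, 0.0)),
    LinkState("broadband", True, (35, 38, 36), (0.1, 0.2, 0.1)),
    LinkState("lte", True, (70, 75, 72), (0.5, 0.4, 0.6)),
)
# Brownout: MPLS still reports "up" but is dropping packets.
BROWNOUT = (LinkState("mpls", True, (24, 90, 140), (3.5, 4.0, 4.2)),) + HEALTHY[1:]

VOICE = SlaPolicy("voice", 150, 1.0, ("mpls", "broadband", "lte"))
PAYMENTS = SlaPolicy("payments", 200, 0.5, ("mpls",))  # private circuit only

if __name__ == "__main__":
    for label, links in (("healthy", HEALTHY), ("brownout", BROWNOUT)):
        for policy in (VOICE, PAYMENTS):
            print(label, policy.app, select_path(policy, links))
```

In the brownout case, voice moves to broadband while payments stays on the degraded MPLS circuit as best effort, because its policy permits no other transport.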

Network visibility

SD-WAN offers network administrators deep visibility into the behavior of applications and devices across a network.

The first use of the SD-WAN visibility capability is before an SD-WAN is deployed in order to create a baseline for network performance. Visibility provides real-time, session-based metrics so that administrators can set future performance and access requirements for applications based on their SLAs.

After an SD-WAN is deployed, visibility provides information about the real-time performance of applications and traffic in the network, for example how much bandwidth and resources they are using, and whether traffic sources are trustworthy or not. Visibility is critical for administrators to be able to continuously monitor the network and to identify policy exceptions or degraded application performance.

Edge computing

In SD-WAN, edge refers to all the networking and security devices that connect distributed locations, and to the applications and services delivered from data centers and the cloud. SD-WAN edge performs security and optimization functions at the network edge. WAN optimization tasks include data compression, data deduplication, data caching, reduced latency, protocol acceleration, and QoS so that low-priority applications consume less bandwidth. Edge computing enables resource-intensive processing to be performed locally, improving response times and saving bandwidth.

In SD-WAN, edge appliances – usually specialized equipment supplied by vendors or existing customer premises equipment (CPE) and virtual CPE, based on VNFs – are computing platforms with built-in capabilities to build virtual overlays for connection to other components in the network.

Edge appliances are used to process and analyze data in real time before taking appropriate action. For example, in a CCTV network where video surveillance cameras monitor vehicle traffic, an edge appliance could identify an accident having taken place and alert emergency services, routing only relevant information about the accident.  

VNF-enabled endpoints

VNFs are network functions that traditionally ran on proprietary hardware devices but are run as software in SD-WANs. Examples of VNFs include firewalls, load balancers, network address translation services (NATs), monitoring and notification services, and virtual routers. The behavior of VNFs at the network edge can be programmed remotely through an SD-WAN’s  centralized controller.

Orchestration layer

The SD-WAN orchestrator sits above the SD-WAN centralized controller. The SD-WAN orchestrator provides additional management functionality for the SD-WAN service lifecycle and for the virtualized components it uses.

SD-WAN orchestration helps enterprises to manage a typical multi-vendor SD-WAN ecosystem, hide some of the complexity inherent in bare-bones SD-WAN solutions, support service chaining, and integrate with back-office operations systems.

While the functionality, and use, of the terminology is somewhat blurred, an SD-WAN controller is focused on control, while an SD-WAN orchestrator is focused on management. By this definition, the SD-WAN controller is responsible for initiating actions in the control and data planes at a low level, while the SD-WAN orchestrator is responsible for managing the control and data planes at a higher level.

SD-WAN orchestrator functions include accounting, fault handling, performance management, and configuration. The main goal of SD-WAN orchestration is to facilitate the provisioning of customer services, requested by users through an external web portal, and to monitor and allocate the resources needed to guarantee application fulfillment in line with associated SLAs.

Types of SD-WANs


There are two types of SD-WANs. Overlay SD-WANs create virtual networks on top of physical networks. Tunnel-free SD-WANs use session-based intelligent routing for network traffic, eliminating the need for tunnels.

Overlay SD-WANs

Overlay SD-WANs operate as virtual networks on top of existing physical networks. Tunneling solutions are used to create these virtual networks. Tunneling supports packet encapsulation, which is a way to transport data across a network that uses protocols not supported by the network. Tunneling also allows traffic segmentation for better security and more efficient allocation of bandwidth.

However, tunneling in SD-WANs may result in bandwidth waste when large numbers of small packets of data are sent over networks, because tunnels cannot efficiently adjust bandwidth use based on packet size. In addition, routers can only support a finite number of tunnels. Tunneling may result in latency and packet dropping.

The alternative to overlay SD-WANs is tunnel-free SD-WANs, which, while still using a virtualized overlay, adopt a different routing method.

Tunnel-free SD-WANs

Tunnel-free SD-WANs use a session-based, dynamic routing method called secure vector routing (SVR).

Overlay SD-WANs forward data in packets, whereas tunnel-free SD-WANs forward data using sessions. SVR creates unique sessions for every tenant on a network, each with its own NAT and without the overhead of tunnels carrying packets. A tunnel-free SD-WAN can accommodate thousands of sessions.

SD-WAN implementation models


There are three types of SD-WAN implementations: on-premise-only, cloud-enabled, and cloud-enabled with a backbone.

On-premise-only implementations are designed for companies that mainly use in-house applications and have minimal requirements for cloud services. SD-WAN plug-and-play hardware – called SD-WAN “boxes” – is managed at branches by branch network operators. Small, localized businesses use on-premise-only SD-WAN implementations.

Cloud-enabled implementations use an SD-WAN box that is connected via a virtual gateway to popular cloud services like Dropbox, Amazon Web Services (AWS), Office 365, or Salesforce. Most medium-sized enterprises use cloud-enabled implementations.

Cloud-enabled connections with backbone combine internet connectivity and private point of presence (PoP) connections. PoPs are the physical access points at which two or more networks or edge components share a connection. PoPs house servers, routers, and other physical interface equipment, and are usually located in SD-WAN providers’ data centers. Multiple PoPs combine to establish internet exchange points (IXPs). IXPs are physical geographical areas that ISPs and CDNs agree to share to transport traffic outside their own networks. The internet is an example of a cloud-enabled connection with backbone.


SD-WAN security


Not all SD-WAN solutions include a full security stack. When SD-WAN is deployed over public broadband, networks may be open to additional security risks. With basic SD-WAN solutions, administrators may have to integrate additional security measures, like intrusion detection systems (IDSs), IPsec-based VPNs, next-generation firewalls (NGFWs), and gateway and edge security software, and apply segmentation to application policies. When SD-WAN solutions include vendor security, they are marketed as secure SD-WAN.

Internet Protocol Security (IPsec) is a network protocol that authenticates and encrypts data over an IP network. NGFWs combine traditional firewall functionality with device filtering capabilities, deep packet inspection, intrusion detection and prevention, and anti-malware.

SD-WAN edge appliances are connected to other network components by encrypted tunnels. Security, like data scanning, then happens at the network edge instead of having to be routed via a data center, potentially degrading performance.

SD-WAN segmentation offers additional security. To ensure security and compliance for network data, traffic from different organizations needs to be isolated. IT administrators can isolate traffic by defining segments. Network segments can be viewed as logical subnetworks, typically classified by data type, organization, or location. In SD-WAN, administrators can deploy contextual security policies for specific subnetworks. SD-WAN centralized software enables administrators to consolidate network segments and to distribute applications from the SD-WAN central hub, ensuring business continuity.
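One way to verify that segmentation actually isolates traffic is to check observed flows against the segment policy. The following is an added example, not code from this page or from any vendor; the segment names, address ranges, allowed-flow rule, and flow records are constructed assumptions. Addresses are mapped to segments by longest-prefix match, so a specific segment carved out of a broader one is classified correctly.

```python
import ipaddress
from typing import NamedTuple


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int


def build_index(segments):
    """Flatten {segment: [cidr, ...]} into a list sorted most-specific first."""
    index = [(ipaddress.ip_network(cidr), name)
             for name, cidrs in segments.items() for cidr in cidrs]
    index.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return index


def segment_of(addr, index):
    """Longest-prefix match of an address to a segment name, or None."""
    ip = ipaddress.ip_address(addr)
    for net, name in index:
        if ip.version == net.version and ip in net:
            return name
    return None


def audit_flows(flows, segments, allowed):
    """Return [(flow, src_segment, dst_segment, reason)] for every violation.

    Traffic inside one segment is accepted. Traffic between segments must
    match an explicit (src_segment, dst_segment, dport) rule. Endpoints that
    belong to no segment are reported rather than silently trusted.
    """
    index = build_index(segments)
    findings = []
    for flow in flows:
        src_seg = segment_of(flow.src, index)
        dst_seg = segment_of(flow.dst, index)
        if src_seg is None or dst_seg is None:
            findings.append((flow, src_seg, dst_seg, "unclassified endpoint"))
        elif src_seg == dst_seg:
            continue
        elif (src_seg, dst_seg, flow.dport) not in allowed:
            findings.append((flow, src_seg, dst_seg,
                             "cross-segment flow not in policy"))
    return findings


# Constructed segments, policy and flow records (hypothetical values).
SEGMENTS = {
    "corp": ["10.0.0.0/8"],
    "pos": ["10.10.0.0/16"],        # point-of-sale, carved out of corp space
    "guest": ["10.20.0.0/16"],
    "payments": ["192.168.50.0/24"],
}
ALLOWED = {("pos", "payments", 443)}
FLOWS = [
    Flow("10.10.1.5", "192.168.50.10", 443),   # pos -> payments, permitted
    Flow("10.10.1.5", "10.10.9.9", 9100),      # inside pos
    Flow("10.20.3.7", "10.10.1.5", 22),        # guest -> pos
    Flow("10.1.2.3", "10.10.1.5", 3389),       # corp -> pos
    Flow("172.16.0.9", "192.168.50.10", 443),  # source in no segment
]

if __name__ == "__main__":
    for flow, src_seg, dst_seg, reason in audit_flows(FLOWS, SEGMENTS, ALLOWED):
        print(f"{flow.src} ({src_seg}) -> {flow.dst}:{flow.dport} ({dst_seg}): {reason}")
```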


How are SD-WANs different to other WAN technologies?


SDN versus SD-WAN

SDN is a network architecture that allows networks to be centrally controlled by software applications instead of relying on physical controls on devices, for example switches. The SDN model was originally designed to improve operational efficiency and, as a concept, defines how an organization's entire network can be centrally managed. SD-WAN is an implementation of SDN.

All SDN products and technologies provide centralized software control, distributed data forwarding, application-driven traffic routing, and a separation of the control and data planes.

The main difference between SD-WANs and SDN is that SDN products usually focus on network functionality, for the most part at the LAN level. SD-WAN focuses on network functionality at the WAN level, especially between sites that are geographically remote from each other.

MPLS versus SD-WAN

SD-WANs are touted as a cost-effective alternative to private MPLS networks. Because MPLS is usually outsourced to independent service providers, it is reliable but can be expensive.

MPLS is not a service. It is a routing technique that directs traffic from one node in a network to the next based on short path labels instead of long network addresses and routing tables. MPLS is used to speed up the flow of traffic in a network and to ensure the reliable delivery of data packets.

However, MPLS reliability comes at a cost of high bandwidth usage compared to SD-WAN, and MPLS solutions are geographically limited to locations where dedicated MPLS circuits are available.

In SD-WAN, policies applied to WAN devices enable automatic, intelligent routing managed by the centralized controller. With MPLS, network paths are predetermined and cloud traffic must be backhauled through a data center or head office.

In the real world, SD-WAN and MPLS usually provide a hybrid network solution. SD-WAN allows organizations to continue to use MPLS circuits, add less costly alternative connections, like IP, and incorporate VPN security.

Enterprise VPNs versus SD-WANs

SD-WANs provide a wide array of network functionalities through multiple connection types, while VPNs are designed specifically to secure and encrypt connections between two endpoints.  

VPNs do not include SD-WAN features like QoS, dynamic path selection, and application-aware routing, so latency can be an issue between geographically disparate endpoints.


Secure access service edge (SASE) is a network architecture provided by cloud security brokers that combines SD-WAN capabilities and security as a cloud service for enterprise customers.

SASE solutions incorporate SD-WAN functionality and integrated security functionality, including zero-trust network access. SASE provides cloud-native security tools as a service directly to the connection source, the edge, rather than to the enterprise data center.

Benefits of SD-WANs


SD-WAN is hardware-agnostic and connectivity-agnostic, allowing businesses to use and combine multiple types of transport options and devices, improving WAN agility, realizing cost benefits, and ensuring network reliability.

SD-WANs are not a replacement for other types of WAN technologies and techniques like MPLS. SD-WAN introduces more flexibility into existing business networks and operates as a framework for managing them, allowing “the best of all worlds.”

SD-WAN policies enable the automation of many network administrative tasks. SD-WANs offer zero-touch provisioning (ZTP), which is the automatic configuration of hardware devices when they are added to a network.

SD-WAN architecture allows IT departments complete visibility across the entire network from a central location, enabling more efficient security management, pervasive monitoring across all devices, and faster deployment of changes or new branches.

Failover for traditional WANs depends on the state of a link, forcing a dependence on routing protocols. With SD-WANs, real-time status monitoring ensures all services can be switched over to another carrier when necessary, whether the link status is up or down.

New SD-WAN branches are easily set up. SD-WAN hardware is usually shipped to a site, plugged in, and then remotely configured via the centralized controller management console.

Traditional WANs are unable to cope with an increasing demand to access data anywhere rather than from predetermined data centers. SD-WANs support modern enterprise applications hosted anywhere, for example in public and private clouds, on-site at organizations’ premises, and with SaaS services.

Many people today work remotely, with some companies employing remote workers across the world. Remote workers need fast broadband connections to cloud-hosted and data center-hosted applications. SD-WANs allow enterprises to take advantage of edge technology to connect geographically dispersed satellite offices and work-from-home employees directly to the enterprise’s head office, to edge endpoints, and to cloud services.

Because control in an SD-WAN is centralized, fewer skilled network professionals need to be employed at an organization’s branches.

The controller’s management portal in an SD-WAN identifies traffic flows for all applications and provides performance metrics for the entire network at a centralized location to ensure SLA guarantees are met.

SD-WAN supports business-driven, user-driven, and application-driven prioritization and security policies.

of SD-WANs


Tunneling in overlay SD-WANs may result in bandwidth waste when small packets of data are sent over networks because tunnels cannot efficiently adjust bandwidth use based on packet size. The alternative is tunnel-free SD-WANs.

Split tunneling allows administrators to split traffic between a public network that employs a firewall and a local network that does not, saving firewall throughput costs. However, centralized monitoring cannot always detect application performance issues at remote sites when SD-WAN has implemented split tunneling.

Because the data and control planes in SD-WANs are separated, there is inevitably a delay transmitting data from a router to the centralized controller. In a scenario where there are numerous control plane events, this could increase latency.

Two functionalities that basic SD-WAN solutions lack are an integrated management system and robust, built-in security. This means organizations may have to add security and orchestration layers to their SD-WANs, which, while providing the additional functionality needed, add complexity.

Because of the complexity of SD-WANs and the number of interrelated components – for example the numerous devices, LANs, WAN circuits, and links at remote locations – troubleshooting slow connections can be difficult.

Relying on performance metrics without practically testing applications, SD-WAN administrators may be unaware of the end user’s real-life experience.  

SD-WAN does not solve internet middle-mile performance issues. When data leaves an SD-WAN, internet backbone providers enable the data to be carried over long distances, called the middle mile, by peering with other network carriers. For example, the internet is founded on the use of multiple global backbones that transport data around the world. If a carrier backbone does not meet the bandwidth needs of its network, it may create a bottleneck. The performance of appliance-based SD-WANs is not usually backed by carrier SLAs, making it all but impossible for organizations to identify and resolve performance issues when data crosses multiple backbones. One solution is to pay for SD-WAN as a service (SDWaaS), which provides enterprises with an SLA.

Using an SD-WAN does not guarantee cost savings or network performance. While broadband internet is inexpensive, it is not always reliable in many countries; once traffic leaves the SD-WAN network, it is in the hands of the often-congested public internet. Most enterprises use broadband internet to grow their service offerings, rather than replace MPLS. The most common SD-WAN solutions are hybrid ones. In addition, overseeing SD-WAN networks requires new, and sometimes costly, skill sets. 

SD-WAN solutions are not entirely plug-and-play; there are multiple implementation models and vendors often offer solutions with varying functionality. Integrating a new SD-WAN into an existing network can be time consuming and costly. Most organizations have to go the managed-service-provider route, giving up the control they envisaged they would gain by adopting SD-WAN. Managed SD-WAN solutions are usually charged at premium rates and may lock organizations into the services of a single provider, offsetting the advantages of SD-WAN’s centralized control and technology independence.

Why do enterprises adopt SD-WAN?


Replace proprietary routers

One of the reasons enterprises choose SD-WANs is to reduce the operating expense of proprietary hardware and CPE. Enterprises can reduce costs by replacing proprietary routers with VNF-enabled edge appliances, which require less maintenance by on-site engineers.

Leverage VPN security

SD-WAN implementations can be configured to use VPNs, which use end-to-end encryption.

Use multiple connectivity technologies

SD-WAN is transport-agnostic. SD-WAN allows enterprises to use any combination of connectivity technologies.

Reduce MPLS costs

MPLS is expensive. SD-WANs may use WAN-optimized IP to deliver a comparable MPLS user experience more cost effectively.

Enhance user experience

Because SD-WAN is a solution for networks that cover geographically disparate sites, latency issues can be a challenge. SD-WAN and WAN optimization can work together to overcome latency challenges.

Prioritize application access

Application-centric SD-WAN allows organizations to prioritize applications. For example, cloud-facing enterprises choose SD-WANs to prioritize access to cloud-based business applications.

SD-WAN monitoring


An SD-WAN is designed to automatically respond in real time to network interruptions, like traffic bottlenecks, brownouts, blackouts, device configuration changes, device failures, human error, and link failures. When an SD-WAN cannot automatically fix a software failure, unlike in the case of router-centric WANs, administrators can make manual adjustments via the central controller.

However, the edge in SD-WANs often extends beyond the typical office-branch scenario. For example, in IIoT applications, sensors add a new level of complexity to networks. In the future, the edge is predicted to expand to encompass even more diverse kinds of endpoints, including humans. In addition, while basic SD-WAN solutions offer some level of functionality for the main SD-WAN features, not all SD-WAN solutions are created equal; for example, not all SD-WAN solutions provide end-to-end orchestration of WAN edge functions.

For these reasons, SD-WAN may benefit from additional external monitoring solutions, like Paessler PRTG Network Monitor, which provides the unlimited scalability needed by continually evolving SD-WAN technologies and the growing number, and types, of endpoints.